An operating system typically provides the execution environment in which one or more executables (e.g., computer programs) may run. However, some executables, such as Windows® Script Host, Windows® PowerShell, Java Virtual Machine, Python interpreter, and/or the like, may also provide a sub-execution environment for executing other program code. That is, an executable may receive program code (e.g., text, bytecode) as input and perform the corresponding operations via an internal runtime, interpreter, and/or virtual machine. For instance, Windows® CScript utility (e.g., CScript.exe) may host a sub-execution environment (e.g., an ActiveScript engine) for executing various VisualBasic Script (VBS) files passed to the CScript utility as input. Notably, an otherwise benign executable such as Windows® CScript utility may nevertheless perform malicious operations when provided with input, such as malicious program code, that may cause malicious and/or unwanted behavior. This latent malicious behavior may evade conventional malware detection techniques, which are generally predicated upon an initial determination of the executable as malicious or benign.